US 7551740 B2

Abstract

A weighted secret sharing and reconstructing method includes encoding the secret using a predetermined code, producing voices so that different weights are assigned to errors in an error vector according to locations of the errors, encrypting the encoded secret using the error vector and distributing the encrypted encoded secret to a plurality of participants.

Claims (16)

1. A method of sharing a secret, comprising:
using a computer to perform the operations of:
encoding the secret using a predetermined code;
producing voices so that different weights are assigned to errors in an error vector according to locations of the errors in the error vector; and
encrypting the encoded secret using the error vector and distributing the encrypted encoded secret to a plurality of participants N,
wherein code blocks are determined by a generator polynomial of the predetermined code, and the predetermined code has a codeword which concatenates the code blocks with different lengths together, and wherein the voices are set to assign the different weights to the errors, which correspond to each code block in the error vector, so that different weights are given to errors in an error vector according to locations of the errors,
the error vector e is known to the plurality of participants N, code parameters are selected to make a (K,N) threshold secret sharing scheme realizable, where N= a number of secret shares of the secret distributed to the N participants, N=wt(e) wherein a weight (wt) $\tau_i$ ($i = 1, 2, 3, \ldots, N$) is given to each secret share $s_i$ according to a location i in the error vector, as set forth in Equation 1 below: (d−1) or less errors are to be corrected, wherein a number of participants required to reconstruct the secret is at least K that satisfies wt(e)−K≦(d−1)/2 or 2K≧2 wt(e)−d+1, a minimum distance is d≦deg g(x)+1 when using Goppa code, and the minimum distance is d≦2(deg g(x))+1 when using binary Goppa code with a separable Goppa polynomial g(x), wherein for a generalized Goppa code, the minimum distance is estimated using the generalized Goppa code with a Goppa polynomial g(x) and a locator set L, and an arbitrary error set $T=\{t_1, t_2, \ldots, t_l\}$ that satisfies following Equation (2) with respect to the respective code blocks $a_1^{(l)} a_2^{(l)} \ldots a_{n_l}^{(l)}$ is corrected:

$$(\deg g(x))/2 \ge t_1\tau_1 + t_2\tau_2 + \cdots + t_l\tau_l \qquad (2),$$

wherein $t_1, t_2, \ldots$, and $t_l$ denote numbers of errors contained in the code blocks with lengths of $n_1, n_2, \ldots$, and $n_l$, respectively, and wherein in a generalized binary Goppa code, (deg g(x))/2 presented in Equation (2) is converted into (2 deg g(x))/2.
2. A method of reconstructing a secret distributed to participants after encoding the secret using an encoded secret, generating voices so that different weights are assigned to errors in an error vector, and encrypting the encoded secret using the error vector, the method comprising:
using a computer to perform the operations of:
determining a number of voices required to decode the code;
selecting a portion of the participants according to the determined number of voices;
collecting the encrypted encoded secret from the selected portion of the participants; and
reconstructing the secret by decrypting and error-correction decoding the encrypted encoded secret,
wherein the different weights are given to the errors in the error vector e according to locations of the errors,
and using a generalized Goppa code to correct errors, a number of voices allocated to the participants is determined by a degree of a locator, wherein the degree of the locator corresponds to a location j of an error in the error vector e and is known to the participants, a (k,T) or (K,N) weighted secret sharing scheme is realized according to the following: T denotes a total number of voices used in the scheme and is equivalent to a weight given to the error vector e such that $T = t_1\tau_1 + t_2\tau_2 + \cdots + t_l\tau_l$, wherein $t_i$ denotes a number of non-zero values of the error vector e that corresponds to locations of locator polynomials with a degree of $\tau_l$, N denotes a number of the participants that is equal to a sum of $t_1, t_2, \ldots$, and $t_l$, k denotes a minimum number of voices required for secret reconstruction that is equal to a sum of $t_1\tau_1, t_2\tau_2, \ldots$, and $t_l\tau_l$, $k_i$ denotes a number of participants with voices of $\tau_i$ that is equal to or larger than T−(deg g(x))/2, and in a case of a binary Goppa code with a separable Goppa polynomial, k≧T−(deg g(x)), K denotes a minimum number of participants required for secret reconstruction wherein the minimum number is equal to a sum of $k_1, k_2, \ldots$, and $k_l$.
3. The method of
4. The method of
5. A method of sharing and reconstructing a secret, comprising:
using a computer to perform the operations of:
encoding the secret using a predetermined code;
generating voices so that different weights are assigned to errors in an error vector according to locations of the errors in the error vector;
encrypting the encoded secret using the error vector and distributing the encrypted encoded secret to participants;
determining a number of voices required to decode the predetermined code;
selecting a portion of the participants by the determined number of voices;
collecting the encrypted encoded secret from the selected portion of the participants; and
reconstructing the secret by decrypting and error-correction decoding the encrypted encoded secret,
wherein code blocks are determined by a generator polynomial of the code, and the encoded secret has a codeword which concatenates the code blocks with different lengths together, and wherein the voices are determined so that different weights are assigned to the errors, which correspond to each code block in the error vector,
the error vector e is known to the participants, code parameters are selected to make a (K,N) threshold secret sharing scheme realizable, where N=a number of secret shares of the secret distributed to the N participants, N=wt(e) wherein a weight (wt) $\tau_i$ ($i = 1, 2, 3, \ldots, N$) is given to each secret share $s_i$ according to a location i in the error vector, as set forth in Equation (1) below: (d−1) or less errors are to be corrected, wherein a number of participants required to reconstruct the secret is at least K that satisfies wt(e)−K≦(d−1)/2 or 2K≧2 wt(e)−d+1, a minimum distance is d≦deg g(x)+1 when using Goppa code, and the minimum distance is d≦2(deg g(x))+1 when using binary Goppa code with a separable Goppa polynomial g(x), wherein for a generalized Goppa code, the minimum distance is estimated using the generalized Goppa code with a Goppa polynomial g(x) and a locator set L, and an arbitrary error set $T=\{t_1, t_2, \ldots, t_l\}$ that satisfies following Equation (2) with respect to the respective code blocks $a_1^{(l)} a_2^{(l)} \ldots a_{n_l}^{(l)}$ is corrected:

$$(\deg g(x))/2 \ge t_1\tau_1 + t_2\tau_2 + \cdots + t_l\tau_l \qquad (2),$$

wherein $t_1, t_2, \ldots$, and $t_l$ denote numbers of errors contained in the code blocks with lengths of $n_1, n_2, \ldots$, and $n_l$, respectively, and wherein in a generalized binary Goppa code, (deg g(x))/2 presented in Equation (2) is converted into (2 deg g(x))/2.
6. The method of
7. The method of
8. The method of
9. A computer-readable storage medium having embodied thereon a computer program to share a secret, the computer program executing:
encoding the secret using a predetermined code;
producing voices so that different weights are assigned to errors in an error vector according to locations of the errors in the errors in the error vector; and
encrypting the encoded secret using the error vector and distributing the encrypted encoded secret to a plurality of participants,
wherein code blocks are determined by a generator polynomial of the predetermined code, and the predetermined code has a codeword which concatenates the code blocks with different lengths together, and wherein the voices are set to assign different weights to the errors, which correspond to each code block in the error vector, so that different weights are given to errors in an error vector according to locations of the errors,
the error vector e is known to the plurality of participants, code parameters are selected to make a (K,N) threshold secret sharing scheme realizable, where N=a number of secret shares of the secret distributed to the N participants, N=wt(e) wherein a weight (wt) $\tau_i$ ($i = 1, 2, 3, \ldots, N$) is given to each secret share $s_i$ according to a location i in the error vector, as set forth in Equation (1) below: (d−1) or less errors are to be corrected, wherein a number of participants required to reconstruct the secret is at least K that satisfies wt(e)−K≦(d−1)/2 or 2K≧2 wt(e)−d+1, a minimum distance is d≦deg g(x)+1 when using Goppa code, and the minimum distance is d≦2(deg g(x))+1 when using binary Goppa code with a separable Goppa polynomial g(x), wherein for a generalized Goppa code, the minimum distance is estimated using the generalized Goppa code with a Goppa polynomial g(x) and a locator set L, and an arbitrary error set $T=\{t_1, t_2, \ldots, t_l\}$ that satisfies following Equation (2) with respect to the respective code blocks $a_1^{(l)} a_2^{(l)} \ldots a_{n_l}^{(l)}$ is corrected:

$$(\deg g(x))/2 \ge t_1\tau_1 + t_2\tau_2 + \cdots + t_l\tau_l \qquad (2),$$

wherein $t_1, t_2, \ldots$, and $t_l$ denote numbers of errors contained in the code blocks with lengths of $n_1, n_2, \ldots$, and $n_l$, respectively, and wherein in a generalized binary Goppa code, (deg g(x))/2 presented in Equation (2) is converted into (2 deg g(x))/2.
10. A computer-readable storage medium having embodied thereon a computer program to reconstruct a secret distributed to participants after encoding the secret using an encoded secret, generating voices so that different weights are assigned to errors in an error vector, and encrypting the encoded secret using the error vector, the computer program executing:
determining a number of voices required to decode the code;
selecting a portion of the participants according to the determined number of voices;
collecting the encrypted encoded secret from the selected portion of the participants; and
reconstructing the secret by decrypting and error-correction decoding the encrypted encoded secret,
wherein the different weights are given to the errors in the error vector according to locations of the errors,
and using a generalized Goppa code to correct errors, a number of voices allocated to the participants is determined by a degree of a locator, wherein the degree of the locator corresponds to a location j of an error in the error vector e and is known to the participants, a (k,T) or (K,N) weighted secret sharing scheme is realized according to the following: T denotes a total number of voices used in the scheme and is equivalent to a weight given to the error vector e such that $T = t_1\tau_1 + t_2\tau_2 + \cdots + t_l\tau_l$, wherein $t_i$ denotes a number of non-zero values of the error vector e that corresponds to locations of locator polynomials with a degree of $\tau_1$, N denotes a number of the participants that is equal to a sum of $t_1, t_2, \ldots$, and $t_l$, k denotes a minimum number of voices required for secret reconstruction that is equal to a sum of $t_1\tau_1, t_2\tau_2, \ldots$, and $t_l\tau_l$, $k_i$ denotes a number of participants with voices of $\tau_i$ that is equal to or larger than T−(deg g(x))/2, and in a case of a binary Goppa code with a separable Goppa polynomial, k≧T−(deg g(x)), K denotes a minimum number of participants required for secret reconstruction wherein the minimum number is equal to a sum of $k_1, k_2, \ldots$, and $k_l$.
11. The computer-readable storage medium of
12. The computer-readable storage medium of
13. A computer-readable storage medium having embodied thereon a computer program to share and reconstruct a secret, the computer program executing:
encoding the secret using a predetermined code;
generating voices so that different weights are assigned to errors in an error vector according to locations of the errors in the error vector;
encrypting the encoded secret using the error vector and distributing the encrypted encoded secret to participants;
determining a number of voices required to decode the predetermined code;
selecting a portion of the participants by the determined number of voices;
collecting the encrypted encoded secret from the selected portion of the participants; and
reconstructing the secret by decrypting and error-correction decoding the encrypted encoded secret,
wherein code blocks are determined by a generator polynomial of the code, and the encoded secret has a codeword which concatenates the code blocks with different lengths together, and wherein the voices are determined so that different weights are assigned to the errors, which correspond to each code block in the error vector so that different weights are assigned to the errors, which correspond to each code block in the error vector,
the error vector e is known to the participants, code parameters are selected to make a (K,N) threshold secret sharing scheme realizable, where N= a number of secret shares of the secret distributed to the N participants, N=wt(e) wherein a weight (wt) $\tau_i$ ($i = 1, 2, 3, \ldots, N$) is given to each secret share $s_i$ according to a location i in the error vector, as set forth in Equation (1) below: (d−1) or less errors are to be corrected, wherein a number of participants required to reconstruct the secret is at least K that satisfies wt(e)−K≦(d−1)/2 or 2K≧2 wt(e)−d+1, a minimum distance is d≦deg g(x)+1 when using Goppa code, and the minimum distance is d≦2(deg g(x))+1 when using binary Goppa code with a separable Goppa polynomial g(x), wherein for a generalized Goppa code, the minimum distance is estimated using the generalized Goppa code with a Goppa polynomial g(x) and a locator set L, and an arbitrary error set $T=\{t_1, t_2, \ldots, t_l\}$ that satisfies following Equation (2) with respect to the respective code blocks $a_1^{(l)} a_2^{(l)} \ldots a_{n_l}^{(l)}$ is corrected:

$$(\deg g(x))/2 \ge t_1\tau_1 + t_2\tau_2 + \cdots + t_l\tau_l \qquad (2),$$

wherein $t_1, t_2, \ldots$, and $t_l$ denote numbers of errors contained in the code blocks with lengths of $n_1, n_2, \ldots$, and $n_l$, respectively, and wherein in a generalized binary Goppa code, (deg g(x))/2 presented in Equation (2) is converted into (2 deg g(x))/2.
14. The computer-readable storage medium of
15. The computer-readable storage medium of
16. The computer-readable storage medium of
Description

This application claims the priority of Korean Patent Application No. 2003-70026 filed on Oct. 8, 2003 in the Korean Intellectual Property Office, the disclosure of which is incorporated herein in its entirety by reference.

1. Field of the Invention

The present invention relates to a weighted secret sharing and reconstructing method, and more particularly, to a method of sharing and reconstructing a secret using a weighted error vector.

2. Description of the Related Art

When there are a set R of N participants and a set L of subsets of the N participants, a threshold secret sharing scheme distributes shares of a secret to the N participants and allows the secret to be reconstructed when subsets of participants belong to the set L. An ideal threshold secret sharing scheme has the following characteristics: (i) all participants must take part in key agreement of the set R; (ii) a master private key of the set R is not disclosed to all the participants; (iii) at least a predetermined number (i.e., a threshold) of participants must participate in a process of decrypting a message encrypted by the master private key; (iv) at least a predetermined number (i.e., a threshold) of participants must participate in a signature procedure of the message using the master private key; (v) after setting the scheme, the process of decryption or signature of the message by the participants whose subsets belong to the set L is non-interactive; and (vi) the master private key or a public key shall not be changed even when a new participant is included in the set R or a participant belonging to the set R leaves the set R.

A (k,N) threshold secret sharing scheme is another example of the threshold secret sharing scheme. The (k,N) threshold secret sharing scheme allows a secret to be reconstructed when k of N dispersed secret shares are collected.

However, the (k,N) threshold secret sharing scheme is disadvantageous in that at least k secret shares are required to reconstruct a secret since N secret shares with equal importance are distributed to N participants. For instance, it is impossible to completely reconstruct the secret when (k−1) secret shares are collected and combined.

Alternatively, a hierarchical threshold secret sharing scheme, which is yet another example of the threshold secret sharing scheme and allows each level of a multi-level structure to share a secret, needs to give a hierarchical grant to a participant who desires to access the multi-level structure.

The present invention provides a weighted secret sharing and reconstructing method in which secret shares with different weights are distributed to participants, so that a secret may be completely reconstructed even when (k−1) secret shares are collected and combined.

According to an aspect of the present invention, a method of sharing a secret, includes encoding the secret using a predetermined code, producing voices so that different weights are given to errors in an error vector according to locations of the errors, encrypting the code using the error vector, and distributing a result of encryption to a plurality of participants.

According to another aspect of the present invention, a method reconstructs a secret distributed to participants after encoding the secret using a predetermined code, generating voices so that different weights are given to errors in an error vector according to locations of the errors, and encrypting the code using the error vector. The method includes determining a number of voices required to decode the code, selecting a part of participants according to the determined number of voices, collecting the secret from the selected participants, and reconstructing the secret by decrypting and error-correction decoding the secret.

According to yet another aspect of the present invention, a method of sharing and reconstructing a secret includes encoding the secret using a predetermined code, producing voices so that different weights are given to errors in an error vector according to locations of the errors, encrypting the code using the error vector and distributing a result of encrypting to participants; determining a number of voices required to decode the code; selecting parts of the participants by the determined number of voices; collecting the secret from the selected participants, and reconstructing the secret by decrypting and error-correction decoding the secret.

Additional aspects and/or advantages of the invention will be set forth in part in the description which follows and, in part, will be obvious from the description, or may be learned by practice of the invention.

These and/or other aspects and advantages of the invention will become apparent and more readily appreciated from the following description of the embodiments, taken in conjunction with the accompanying drawings of which:

Reference will now be made in detail to the embodiments of the present invention, examples of which are illustrated in the accompanying drawings, wherein like reference numerals refer to the like elements throughout. The embodiments are described below to explain the present invention by referring to the figures.

More specifically, a secret S is divided into N secret shares, and the N secret shares are distributed to N participants who are interlinked via a channel, respectively. The secret S is encrypted using an error vector e and distributed, according to the McEliece technique. Every participant may access the secret S. A weight (wt) τ

According to the McEliece technique, when one of participants who receives the secret shares desires to reconstruct the secret S, the participant reconstructs the secret S using his/her secret share and (K−1) secret shares.

In this case, weights given to the secret shares may be expressed as follows:

To reconstruct the secret S, one of the N participants collects (K−1) encrypted secret shares from K−1 participants via a public communication channel. Next, the participant reconstructs the secret S by combining his/her secret share with the collected (K−1) secret shares and decrypting a result of the combination.

To encrypt and decrypt the secret S, the present invention uses a generalized Goppa code. The q-ary generalized Goppa code with a length n is defined by an n-type vector α=(α

The generalized (L,g) Goppa code has a minimum distance of d

In the generalized Goppa code for enabling error correction, a locator set L may be determined with respect to the Goppa polynomial G(x), as follows:

If a vector a=(a

For the generalized Goppa code, it is possible to estimate its minimum distance. Using the generalized Goppa code with the Goppa polynomial g(x) and the locator set L, it is possible to correct an arbitrary error set T={t

In the case of a generalized binary Goppa code, (deg g(x))/2 presented in Equation (8) is converted into (2 deg g(x))/2.

It is assumed that there is generalized Goppa code of (36, 18, 7) where n

In connection with the code block of the length n

In connection with the code block of the length n

d≧7 is obtained by Equation (4) and the binary generalized Goppa code allows correction of an error set T={t

When the generalized Goppa code has a locator set of a third degree polynomial, it is possible to correct an error set T={t

A threshold secret sharing method adopting a public key scheme, according to the present invention, may be realized using the Goppa code. In the method, an error vector e is known to all participants. Also, by properly selecting code parameters, the (K,N) threshold secret sharing scheme is realizable, where N=wt(e). Error correcting code may allow (d−1) or less errors to be corrected. Accordingly, a number of participants required to reconstruct a secret is at least K that satisfies wt(e)−K≦(d−1)/2, i.e., 2K≧2 wt(e)−d+1. The minimum distance is d≦deg g(x)+1 when using Goppa code, and the minimum distance is d≦2(deg g(x))+1 when using binary Goppa code with a separable Goppa polynomial g(x).

There may be a situation in which some of the participants who are taking part in secret decryption provide wrong values of their secret shares. For instance, when k

The above scheme may be generalized for a case wherein participants have different numbers of voices. Here, a voice is differentiated from a share, and a plurality of voices may be allocated to a secret share. For instance, when using the generalized Goppa code for correcting errors, a number of voices allocated to the participants may be determined by the degree of a locator. The degree of the locator corresponds to a location j of an error in the error vector e and is known to the participants. In a case of using the generalized Goppa code, the (k,T) or (K,N) weighted secret sharing scheme may be realized according to the following conditions.

In the (k,T) or (K,N) weighted secret sharing scheme, T denotes a total number of voices used in the scheme and is equivalent to a weight given to the error vector e. That is, T=t

Hence, according to an embodiment of the present invention, k voices, rather than k secret shares, are required to reconstruct a secret, and participants may have different numbers of voices. A size of a secret share is not related to a weight or a number of voices.

To reconstruct the secret, a number (k, T) of voices required to decode the secret is determined (operation

After determining the number k

In detail,

The present invention may be embodied as a program stored on a computer readable medium that can be run on a general computer. Here, the computer readable medium includes, but is not limited to, storage media such as magnetic storage media (e.g., ROM's, floppy disks, hard disks, and the like), optically readable media (e.g., CD-ROMs, DVDs, etc.), and carrier waves (e.g., transmission over the Internet). The present invention may also be embodied as a computer readable program code unit stored on a computer readable medium, for causing a number of computer systems connected via a network to affect distributed processing.

As described above, according to the present invention, a scheme may be realized wherein a weight of secret share does not depend on its size by using an error correcting code with an unequal error correction capability. Further, a weighted secret sharing scheme according to the present invention provides a constructive method to utilize parameters of a (K, N) weighted secret sharing scheme to share and reconstruct a secret.

Although a few embodiments of the present invention have been shown and described, it would be appreciated by those skilled in the art that changes may be made in these embodiments without departing from the principles and spirit of the invention, the scope of which is defined in the claims and their equivalents.
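The voice-counting conditions of the (k,T) scheme described above, worked through as an added example that is not part of the patent: it takes k = T − (deg g(x))/2 (or T − deg g(x) for a binary code with a separable Goppa polynomial) and lists which coalitions hold enough voices. The participant names, voice allocation and function names are assumptions made for illustration, and the code checks the counting conditions only; it performs no Goppa encoding or decoding.

```python
from itertools import combinations

# Constructed sample: participant -> number of voices (tau) attached to the
# error location that participant holds. Not taken from the patent.
VOICES = {"A": 3, "B": 2, "C": 2, "D": 1, "E": 1, "F": 1}


def voice_threshold(voices, deg_g, binary_separable=False):
    """Return (T, k): total voices and the minimum voices a coalition needs.

    Error locations of absent participants remain as unknown errors.
    Equation (2) lets the decoder correct them only while their voices sum
    to at most (deg g)/2, or deg g for a binary code with separable g(x).
    """
    total = sum(voices.values())
    # Voices are integers, so a bound of (deg g)/2 means floor(deg g / 2).
    capacity = deg_g if binary_separable else deg_g // 2
    return total, max(total - capacity, 0)


def can_reconstruct(coalition, voices, deg_g, binary_separable=False):
    """True when the coalition's voices reach the threshold k."""
    _, k = voice_threshold(voices, deg_g, binary_separable)
    return sum(voices[p] for p in coalition) >= k


def minimal_coalitions(voices, deg_g, binary_separable=False):
    """Qualified coalitions that stop qualifying if any member leaves."""
    names = sorted(voices)
    found = []
    for size in range(1, len(names) + 1):
        for combo in combinations(names, size):
            members = frozenset(combo)
            if not can_reconstruct(members, voices, deg_g, binary_separable):
                continue
            # Skip supersets of an already found smaller qualified coalition.
            if any(m <= members for m in found):
                continue
            found.append(members)
    return found


def participant_bounds(voices, deg_g, binary_separable=False):
    """Return (fewest, guaranteed) participant counts.

    fewest: size of the smallest coalition that can reach k voices.
    guaranteed: smallest size at which every coalition reaches k voices.
    """
    _, k = voice_threshold(voices, deg_g, binary_separable)
    heavy = sorted(voices.values(), reverse=True)
    light = sorted(voices.values())
    fewest = next(n for n in range(len(heavy) + 1) if sum(heavy[:n]) >= k)
    guaranteed = next(n for n in range(len(light) + 1) if sum(light[:n]) >= k)
    return fewest, guaranteed


if __name__ == "__main__":
    total, k = voice_threshold(VOICES, deg_g=8)
    print(f"T={total} voices, k={k} voices needed")
    print("bounds on participants:", participant_bounds(VOICES, deg_g=8))
    for c in minimal_coalitions(VOICES, deg_g=8):
        print(sorted(c), sum(VOICES[p] for p in c))
```

With equal voices the two bounds coincide and the check reduces to an ordinary (K,N) threshold; with unequal voices, three heavy participants can suffice where four light ones cannot.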